Over the next five years, British Columbia’s School District 23 hopes to equip about 8,000 students with laptop computers. The kids will use their laptops at school and take them home at night. That creates some security headaches for Jon Rever, district principal for technology and learning services at the central Okanagan school district.
The district needs to ensure the laptops don’t pick up viruses and introduce them into the network. To do that, the district is relying on two pieces of software. One is Deep Freeze, from Vancouver-based Faronics Corp., a reboot-to-restore tool that discards every change made to the protected Windows system partition, registry included, each time the machine restarts. “If a virus does somehow manage to infect the system,” Rever says, the solution is to turn the machine off. “When you turn it back on, it’s gone.” The reset limits persistence rather than preventing infection: it does not undo anything the malware did while it was running, such as spreading to other hosts, and the machine has to be deliberately “thawed” for patches and signature updates to survive a reboot.
The district is also using Cisco Systems Inc.’s Security Agent, which lets network administrators enforce policies on the use of the laptops and reacts to suspicious software behaviour. Rather than relying on virus signatures as mainstream antivirus products do, Rever says, the security agent looks for suspicious behaviour, blocks it and reports it to the administrator. The Cisco software will also enforce policies controlling what the laptops can do. For instance, it can prevent students from downloading and installing executable files.
This is part of Cisco’s Self-Defending Network strategy, which aims to build security directly into the network. For School District 23, this doesn’t replace stand-alone tools such as Deep Freeze and standard anti-virus software. But it reflects a growing belief that such tools on their own don’t offer enough protection, and that security should be built into the network infrastructure.
“We see this stuff disappearing into the architecture,” says Peter Cresswell, national practice manager for security at Bell Business Solutions Inc. “There’s an over-all understanding that that’s the way things should be, that there needs to be intelligence in the infrastructure … to help provide a network security or control layer.”
Tom Slodichak, chief security officer at Burlington, Ont.-based WhiteHat Inc., says networking vendors have become “very aware” of security problems.
“They’re taking steps to build security right into the machines themselves,” Slodichak says.
And yet most enterprise networks use hardware from multiple equipment vendors, and manufacturers take varying approaches to building security smarts into network gear. So building security into the network isn’t always simple. And some argue that, given that complexity and the fact that security needs change faster than basic network infrastructure, security functions are better separated from the basic building blocks.
This isn’t an all-or-nothing decision. Building more security functions into network routers, switches and other devices doesn’t mean dispensing entirely with stand-alone security devices such as firewalls, and the choice of exactly how much integration is the right amount depends on the individual organization and its infrastructure.
Cisco’s Self-Defending Network strategy is a prime example of a switch and router vendor integrating security into network gear.
Multi-layered security
Alex Thurber, director of security for Cisco’s worldwide channels organization in San Jose, Calif., says that with the growing number and sophistication of network attacks, only a multi-layered security approach will do. Effective security now requires close integration with network infrastructure, Thurber maintains, so the more tightly linked the functions are, the better.
For instance, says Thurber, using signatures of known viruses to detect those threats is no longer enough when new viruses often appear close on the heels of vulnerabilities being discovered and can spread around the globe in hours. Protecting against these “zero-day” attacks requires that networks detect suspicious activity and react to it right away — for instance, by blocking or throttling the offending machine’s network access until the problem can be repaired.
Cresswell notes that while network equipment vendors like Cisco and Brampton, Ont.-based Nortel Networks Corp., tackle this issue by incorporating security functions in routers and switches, Microsoft Corp. is taking aim at the same problem with added security functions in the server and client operating systems.
Vendor lock-in versus ecosystem approach
Cisco’s Network Admission Control (NAC) technology can determine who is connecting to the network and whether the connecting machine conforms to security standards. For instance, if an employee attempts to connect via a remote notebook, NAC might check that the notebook’s anti-virus software and signatures are up to date, and push updates if needed before giving it access. The only way to do this effectively is at the network level, Thurber claims. One caveat applies to any such scheme: the posture is reported by an agent on the endpoint, so a host that is already compromised can report whatever the policy wants to hear. Admission checks raise the hygiene floor of what joins the network; they do not establish that a machine is trustworthy.
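To make the admission decision concrete, here is an added example of the policy logic such a check applies. It is not Cisco’s NAC code and not from the original article; the endpoint reports, the thresholds (three-day signature age, a minimum patch level) and the VLAN names are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Policy thresholds: assumed values for this example, not vendor defaults.
MAX_SIGNATURE_AGE = timedelta(days=3)
MIN_PATCH_LEVEL = 12          # hypothetical monotonically increasing OS patch level
TODAY = date(2005, 6, 1)      # fixed "now" so the example is reproducible


@dataclass
class PostureReport:
    """What the endpoint agent claims about itself.

    This is self-reported: a host that is already compromised can report
    whatever the policy wants to hear, so the check raises the hygiene
    floor but does not prove the machine is trustworthy.
    """
    host: str
    av_installed: bool
    av_running: bool
    signature_date: Optional[date]   # newest AV signature set, None if unknown
    patch_level: int


def evaluate_posture(report: PostureReport, today: date = TODAY) -> Tuple[str, List[str]]:
    """Return (verdict, findings).

    allow      - full network access
    remediate  - quarantine VLAN that reaches only the update servers, so the
                 agent can push signatures/patches and then re-check
    deny       - nothing an update server can fix; keep the port dark
    """
    if not report.av_installed:
        return "deny", ["no antivirus installed"]

    findings: List[str] = []
    if not report.av_running:
        findings.append("antivirus service not running")
    if report.signature_date is None:
        findings.append("no signature set reported")
    elif today - report.signature_date > MAX_SIGNATURE_AGE:
        age = (today - report.signature_date).days
        findings.append(f"signatures {age} days old (limit {MAX_SIGNATURE_AGE.days})")
    if report.patch_level < MIN_PATCH_LEVEL:
        findings.append(f"patch level {report.patch_level} below required {MIN_PATCH_LEVEL}")

    return ("remediate" if findings else "allow"), findings


def assign_vlan(verdict: str) -> str:
    """Map the verdict to the VLAN the access switch would put the port in."""
    return {"allow": "corp", "remediate": "quarantine", "deny": "blackhole"}[verdict]


# Constructed endpoint reports for the demo (not real hosts).
SAMPLE_REPORTS = [
    PostureReport("lab-pc-07", True, True, date(2005, 5, 31), 12),   # clean
    PostureReport("staff-nb-02", True, True, date(2005, 5, 20), 12), # stale signatures
    PostureReport("staff-nb-05", True, False, date(2005, 5, 31), 9), # AV stopped, unpatched
    PostureReport("guest-nb-01", False, False, None, 0),             # no AV at all
]


def demo_results(today: date = TODAY) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample report; returns {host: (verdict, vlan)}."""
    out: Dict[str, Tuple[str, str]] = {}
    for r in SAMPLE_REPORTS:
        verdict, _ = evaluate_posture(r, today)
        out[r.host] = (verdict, assign_vlan(verdict))
    return out


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        verdict, findings = evaluate_posture(r)
        print(f"{r.host:<12} {verdict:<9} vlan={assign_vlan(verdict):<10} {'; '.join(findings)}")
```

The split between “remediate” and “deny” is the part worth copying: conditions the network can fix by pushing an update go to a quarantine VLAN that can reach only the update servers, while a machine with nothing to update is simply kept off.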
There is another view, typified by 3Com Corp. and the approach the Marlborough, Mass., networking vendor calls the Bi-Planar Network.
According to Neal Hartsell, 3Com’s vice-president of product marketing, Cisco’s motivation is that as a dominant network equipment vendor, it needs to add new features to sell new routers. But he argues strategies like the Self-Defending Network work best for customers using only one vendor’s products — and “there is almost no enterprise network in the world that is 100 per cent Cisco and 100 per cent Microsoft.”
So Hartsell derides the Self-Defending Network as “basically a vendor lock-in play,” and advocates instead an “ecosystem approach” that will let best-of-breed security products work with whatever network infrastructure a customer has in place.
Hartsell also argues that, with security needs changing faster than network infrastructure, building security into network gear may force otherwise-unnecessary hardware upgrades as security needs evolve. “Why would you couple two things together that essentially are evolving at very different rates of speed?”
Cresswell agrees that interoperability remains an issue with building security into network gear. “They’re all saying they’re going to work together,” he observes. “They’re just not doing it yet.” Therefore, he says, it’s difficult to wholeheartedly buy into any vendor’s built-in security blueprint unless the customer has a single-vendor network. “Really, it’s something that you’re watching for the future,” Cresswell maintains.
Thurber says Cisco is trying to address these concerns by working with security vendors – even competitors – and submitting some of its technology to standards bodies.
For instance, he says, the company has created a group of more than 60 technology vendors around NAC to help ensure devices from different suppliers can exchange information smoothly.
Greg Murray, vice-president and practice lead for information security at consulting firm PricewaterhouseCoopers in Toronto, says that while initiatives like the Self-Defending Network are good, network vendors are only addressing part of the problem anyway. “It’s not just about network layer protection any more, it’s about integrated business service protection,” says Murray. “Even if you had a single-vendor solution at the network layer, you would need to integrate that with the remainder of your security infrastructure.”
“In the end you’re not going to be able to depend on a single vendor, because they’re going to have a very monolithic approach,” says Slodichak.
What can be done, he adds, is to find ways of getting various security devices to talk to each other. This makes it possible to collect and correlate events from the various devices, which can improve security and help meet corporate governance requirements.
Firewalls within the network
For instance, Ryerson University in Toronto is now beta-testing an appliance that will integrate logs from all its firewalls and produce comprehensive reports to help the university improve its security further, says Larry Lemieux, the university’s assistant director of IT support.
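As an added illustration of what pooling firewall logs buys (not code from Ryerson or from its appliance vendor), the script below parses two constructed log formats, normalizes them into common events, and flags a source whose denied connections only look like a scan once events from several firewalls are combined. Both log formats, the hostnames and the thresholds are invented for the example; neither format is a real vendor’s.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample lines in two made-up formats: a key=value perimeter
# firewall and a CSV internal firewall. Not real vendor formats.
PERIMETER_LOG = """\
2005-06-01T09:14:02 fw=edge-1 action=deny src=10.1.1.5 dst=192.0.2.10 dport=445
2005-06-01T09:14:03 fw=edge-1 action=deny src=10.1.1.5 dst=192.0.2.11 dport=445
2005-06-01T09:14:03 fw=edge-1 action=deny src=10.1.1.5 dst=192.0.2.12 dport=445
2005-06-01T09:15:40 fw=edge-1 action=allow src=10.1.1.9 dst=192.0.2.20 dport=80
2005-06-01T09:16:11 fw=edge-1 action=deny src=10.1.1.9 dst=192.0.2.21 dport=22
garbage line that a real feed will eventually contain and must be skipped
"""

INTERNAL_LOG = """\
ts,fw,src,dst,dport,action
2005-06-01 09:14:05,fin-fw,10.1.1.5,10.20.0.5,445,DENY
2005-06-01 09:14:05,fin-fw,10.1.1.5,10.20.0.6,445,DENY
2005-06-01 09:14:06,hr-fw,10.1.1.5,10.30.0.2,139,DENY
2005-06-01 09:20:00,fin-fw,10.1.1.7,10.20.0.5,443,ALLOW
"""

Event = Dict[str, str]

PERIMETER_RE = re.compile(
    r"^(?P<ts>\S+) fw=(?P<fw>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_perimeter(line: str) -> Optional[Event]:
    """key=value format; returns None for lines that do not match."""
    m = PERIMETER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = ev["action"].lower()
    return ev


def parse_internal(line: str) -> Optional[Event]:
    """CSV format with a header row; returns None for header or malformed lines."""
    parts = line.split(",")
    if len(parts) != 6 or parts[0] == "ts":
        return None
    ts, fw, src, dst, dport, action = parts
    return {"ts": ts, "fw": fw, "src": src, "dst": dst,
            "dport": dport, "action": action.lower()}


def normalize(log: str, parser: Callable[[str], Optional[Event]]) -> List[Event]:
    """Run one parser over a log and keep only the lines it understood."""
    events: List[Event] = []
    for line in log.splitlines():
        ev = parser(line.strip())
        if ev is not None:
            events.append(ev)
    return events


def correlate_denies(events: List[Event], min_firewalls: int = 2,
                     min_targets: int = 5) -> List[Tuple[str, List[str], int]]:
    """Flag sources whose denied connections were logged by at least
    min_firewalls distinct firewalls and touched at least min_targets
    distinct destination hosts. Returns (src, firewalls, target_count)."""
    fws: Dict[str, Set[str]] = defaultdict(set)
    targets: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["action"] != "deny":
            continue
        fws[ev["src"]].add(ev["fw"])
        targets[ev["src"]].add(ev["dst"])
    flagged = []
    for src in fws:
        if len(fws[src]) >= min_firewalls and len(targets[src]) >= min_targets:
            flagged.append((src, sorted(fws[src]), len(targets[src])))
    return sorted(flagged)


def load_events() -> List[Event]:
    """Pool both constructed feeds into one normalized event list."""
    return normalize(PERIMETER_LOG, parse_perimeter) + normalize(INTERNAL_LOG, parse_internal)


def single_firewall_view(events: List[Event], fw: str) -> List[Tuple[str, List[str], int]]:
    """What one firewall would flag on its own, with the same target threshold."""
    return correlate_denies([e for e in events if e["fw"] == fw], min_firewalls=1)


if __name__ == "__main__":
    evs = load_events()
    for fw in ("edge-1", "fin-fw", "hr-fw"):
        print(f"{fw} alone: {single_firewall_view(evs, fw)}")
    print(f"pooled: {correlate_denies(evs)}")
```

With the sample data, each firewall on its own sees 10.1.1.5 probe one, two or three hosts and flags nothing; pooled, the same source has been denied against six hosts behind three different firewalls, which is the picture Slodichak describes as the payoff of getting the devices to talk to each other.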
The university serves two major groups of users: Students and researchers want easy access to the campus network from public access computer labs, libraries and so forth, while administrative staff need applications such as financials and payroll to be secure. “You can imagine we don’t want anyone going in and changing a student’s grades,” Lemieux says.
Ryerson not only has firewalls at the perimeter of the network, but also firewalls within the network that filter traffic based on the MAC address of the PC and the type of traffic. This provides a defence against distributed denial of service attacks, for instance. One caveat: a MAC address is only visible on the local segment and is trivial to change on most network cards, so filtering on it identifies the machine that is expected to be there rather than authenticating it; it belongs alongside the traffic-type rules, not in place of user authentication. Employees who connect to the network remotely do so through virtual private networks.
“I think that in order to protect your network you always need a combination of technology,” Thurber concludes, “so I wouldn’t say just rely on routers with security code in them any more than I would say just rely on a firewall.”